[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM access policy may be circumvented

From: Brian Murphy
Subject: Re: PAM access policy may be circumvented
Date: Sun, 12 Oct 2003 18:18:55 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030529

Marc Singer wrote:

On Sat, Oct 11, 2003 at 06:48:47PM +0200, Brian Murphy wrote:
This is *not* the PAM support in cvs that you refer to. The PAM patch
in cvs chooses either PAM or traditional /etc/passwd support but not

See for yourself.  Here's the source from server.c.

#line 5869 server.c
#ifdef HAVE_PAM
   if (system_auth)
       host_user = check_pam_password (username, descrambled_password, 
#endif /* HAVE_PAM */

   if(NULL == host_user)
       host_user = check_password (username, descrambled_password, repository);

   if (host_user == NULL)

When the check_pam_password () call fails, CVS will then call
check_password ().  check_password () is the non-PAM call to verify a
user's identity.  Thus, when PAM fails, CVS does a fall-back to the
non-PAM authentication.  My change was simply to #ifndef HAVE_PAM on
the check_password () call.


Sorry, but you must be using another patch than the one in the official cvs source repository. The official 1.11.x branch has no PAM support. The new PAM support in the 1.12 branch was written by me and has nothing that looks like the lines above in it. Please check out/download the official releases to see for yourself. In fact no official release has been made with PAM
support as the changes are after the unstable branches' last release.

I know for instance that debian patches CVS for PAM support - perhaps you use debian and
have looked at their patched source?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]